feat: deploy remote signer in aztec infra (#16894)

Fixes
https://linear.app/aztec-labs/issue/TMNT-201/expand-deploy-aztec-infrayml-to-deploy-remote-signers

Author: AztecBot

spartan/aztec-keystore/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: aztec-mnemonic
+description: This chart derives private keys and addresses from a mnemonic
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+

spartan/aztec-keystore/templates/_helpers.tpl

@@ -0,0 +1,7 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "aztec-keystore.serviceAccountName" -}}
+{{- .Values.serviceAccount.name | default (printf "%s-%s" .Release.Name "keystore") }}
+{{- end }}
+

spartan/aztec-keystore/templates/batchjob.yaml

@@ -0,0 +1,133 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-derive-accounts
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ include "aztec-keystore.serviceAccountName" . }}
+      restartPolicy: OnFailure
+      volumes:
+        - name: shared
+          emptyDir: {}
+        {{- if .Values.mnemonic.fromSecret.name }}
+        - name: mnemonic
+          secret:
+            secretName: {{ .Values.mnemonic.fromSecret.name }}
+            items:
+              - key: {{ .Values.mnemonic.fromSecret.key | default "mnemonic" }}
+                path: mnemonic
+        {{- end }}
+      initContainers:
+        - name: derive
+          image: {{ printf "%s:%s" .Values.global.aztecImage.repository .Values.global.aztecImage.tag }}
+          imagePullPolicy: {{ .Values.global.aztecImage.pullPolicy }}
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -euo pipefail
+              NODES="{{ .Values.attesters.nodeCount }}"
+              ATTESTERS_PER_NODE="{{ .Values.attesters.attestersPerNode }}"
+              PUBLISHERS_PER_VALIDATOR_KEY="{{ .Values.publishers.perValidatorKey }}"
+              ATTESTER_KEY_INDEX_START="{{ .Values.attesters.mnemonicStartIndex }}"
+              PUBLISHER_KEY_INDEX_START="{{ .Values.publishers.mnemonicStartIndex }}"
+
+              {{- if .Values.mnemonic.fromSecret.name }}
+              MNEMONIC="/mnemonic/mnemonic"
+              {{- else }}
+              MNEMONIC="{{ .Values.mnemonic.value }}"
+              {{- end }}
+
+              for ((i=0;i<NODES;i++)); do
+                KS_FILE=/shared/attesters/keystores/node_$i.yaml
+                ADDR_FILE=/shared/attesters/addresses/node_$i
+                PUB_KS_FILE=/shared/publishers/keystores/node_$i.yaml
+                PUB_ADDR_FILE=/shared/publishers/addresses/node_$i
+
+                mkdir -p $(dirname $KS_FILE) $(dirname $ADDR_FILE) $(dirname $PUB_KS_FILE) $(dirname $PUB_ADDR_FILE)
+
+                truncate -s 0 "$ADDR_FILE"
+                truncate -s 0 "$KS_FILE"
+                truncate -s 0 "$PUB_ADDR_FILE"
+                truncate -s 0 "$PUB_KS_FILE"
+
+                for ((j=0;j<ATTESTERS_PER_NODE;j++)); do
+                  idx=$((ATTESTER_KEY_INDEX_START + ATTESTERS_PER_NODE * i + j))
+                  pk="$(cast wallet private-key --mnemonic "$MNEMONIC" --mnemonic-index "$idx")"
+                  addr="$(cast wallet address --private-key $pk)"
+
+                  [[ $j -gt 0 ]] && echo '---' >> "$KS_FILE"
+                  printf 'type: file-raw\nkeyType: SECP256K1\nprivateKey: %s\n' "$pk" >> "$KS_FILE"
+
+                  [[ $j -gt 0 ]] && printf ',' >> "$ADDR_FILE"
+                  printf '%s' "$addr" >> "$ADDR_FILE"
+                done
+
+                # Publishers: start index per node, then pack by validator j and publisher p
+                pub_base=$((PUBLISHER_KEY_INDEX_START + i * ATTESTERS_PER_NODE * PUBLISHERS_PER_VALIDATOR_KEY))
+                for ((j=0;j<ATTESTERS_PER_NODE;j++)); do
+                  for ((p=0;p<PUBLISHERS_PER_VALIDATOR_KEY;p++)); do
+                    pub_idx=$((pub_base + j * PUBLISHERS_PER_VALIDATOR_KEY + p))
+                    ppk="$(cast wallet private-key --mnemonic "$MNEMONIC" --mnemonic-index "$pub_idx")"
+                    paddr="$(cast wallet address --private-key $ppk)"
+
+                    # write keystore file-separated entries
+                    [[ $j -gt 0 || $p -gt 0 ]] && echo '---' >> "$PUB_KS_FILE"
+                    printf 'type: file-raw\nkeyType: SECP256K1\nprivateKey: %s\n' "$ppk" >> "$PUB_KS_FILE"
+
+                    # write addresses CSV per node
+                    if [[ $j -gt 0 || $p -gt 0 ]]; then printf ',' >> "$PUB_ADDR_FILE"; fi
+                    printf '%s' "$paddr" >> "$PUB_ADDR_FILE"
+                  done
+                done
+
+                echo "Generated config for attesters on node $i"
+              done
+          volumeMounts:
+            - name: shared
+              mountPath: /shared
+            {{- if .Values.mnemonic.fromSecret.name }}
+            - name: mnemonic
+              mountPath: /mnemonic
+            {{- end }}
+      containers:
+        - name: publish
+          image: {{ printf "%s:%s" .Values.global.kubectlImage.repository .Values.global.kubectlImage.tag }}
+          imagePullPolicy: {{ .Values.global.kubectlImage.pullPolicy }}
+          env:
+            - name: K8S_NAMESPACE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -euo pipefail
+
+              ATTESTER_KEYSTORE_SECRET_NAME="{{ .Values.attesters.keyStoreSecret.name | default (printf "%s-%s" .Release.Name "attester-keystores") }}"
+
+              kubectl -n "$K8S_NAMESPACE_NAME" create secret generic "$ATTESTER_KEYSTORE_SECRET_NAME" \
+                --from-file /shared/attesters/keystores \
+                --dry-run=client -o yaml | kubectl apply -f -
+
+              ATTESTER_ADDRESS_CM_NAME="{{ .Values.attesters.addressConfigMap.name | default (printf "%s-%s" .Release.Name "attester-addresses") }}"
+              PUBLISHER_KEYSTORE_SECRET_NAME="{{ .Values.publishers.keyStoreSecret.name | default (printf "%s-%s" .Release.Name "publisher-keystores") }}"
+              kubectl -n "$K8S_NAMESPACE_NAME" create secret generic "$PUBLISHER_KEYSTORE_SECRET_NAME" \
+                --from-file /shared/publishers/keystores \
+                --dry-run=client -o yaml | kubectl apply -f -
+
+              PUBLISHER_ADDRESS_CM_NAME="{{ .Values.publishers.addressConfigMap.name | default (printf "%s-%s" .Release.Name "publisher-addresses") }}"
+              kubectl -n "$K8S_NAMESPACE_NAME" create configmap "$PUBLISHER_ADDRESS_CM_NAME" \
+                --from-file /shared/publishers/addresses \
+                --dry-run=client -o yaml | kubectl apply -f -
+              kubectl -n "$K8S_NAMESPACE_NAME" create configmap "$ATTESTER_ADDRESS_CM_NAME" \
+                --from-file /shared/attesters/addresses \
+                --dry-run=client -o yaml | kubectl apply -f -
+          volumeMounts:
+            - name: shared
+              mountPath: /shared

spartan/aztec-keystore/templates/rbac.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "aztec-keystore.serviceAccountName" . }}-role
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps","secrets"]
+    verbs: ["get", "create","update","patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "aztec-keystore.serviceAccountName" . }}-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "aztec-keystore.serviceAccountName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "aztec-keystore.serviceAccountName" . }}-role
+{{- end }}

spartan/aztec-keystore/templates/serviceaccount.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "aztec-keystore.serviceAccountName" . }}
+  annotations:
+{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+{{- end }}
+

spartan/aztec-keystore/values.yaml

@@ -0,0 +1,41 @@
+global:
+  aztecImage:
+    repository: aztecprotocol/aztec
+    tag: latest
+    pullPolicy: IfNotPresent
+  kubectlImage:
+    repository: bitnami/kubectl
+    tag: 1.33.4
+    pullPolicy: Always
+
+mnemonic:
+  value: ""
+  fromSecret:
+    name: ""
+    key: mnemonic
+
+attesters:
+  attestersPerNode: 1
+  nodeCount: 1
+  mnemonicStartIndex: 2000
+  keyStoreSecret:
+    create: true
+    name: "" # if empty name will be generated based on Release.Name
+  addressConfigMap:
+    create: true
+    name: "" # if empty name will be generated based on Release.Name
+
+publishers:
+  perValidatorKey: 1
+  mnemonicStartIndex: 5000
+  keyStoreSecret:
+    create: true
+    name: "" # if empty name will be generated based on Release.Name
+  addressConfigMap:
+    create: true
+    name: "" # if empty name will be generated based on Release.Name
+
+serviceAccount:
+  create: true
+  name: "" # leave empty to generate a name based on Release.Name
+  annotations: {}

spartan/aztec-network/files/config/setup-attester-keystore.sh

@@ -65,8 +65,7 @@ publishers=()
 if [ -n "$WEB3_SIGNER_URL" ]; then
   remoteSigner=$(jq -n '{remoteSignerUrl: $url}' --arg url "$WEB3_SIGNER_URL")
   attesters=(${addresses[*]})
-  # TODO: use addresses here when web3signer supports EIP-4844 txs. See PR https://github.com/Consensys/web3signer/pull/1096
-  # publishers=(${publisher_addresses[*]})
+  # TODO: switch to addresses once web3signer supports EIP-4844 txs. See https://github.com/Consensys/web3signer/pull/1096
   publishers=(${publisher_private_keys[*]})
 else
   remoteSigner="null"

spartan/aztec-node/scripts/setup-attester-keystore.sh

@@ -0,0 +1,124 @@
+#!/usr/bin/env bash
+set -eu
+
+VALIDATORS_PER_NODE=${VALIDATORS_PER_NODE:-1}
+PUBLISHERS_PER_VALIDATOR_KEY=${PUBLISHERS_PER_VALIDATOR_KEY:-1}
+
+# We get the index in the config map from the pod name, which will have the service index within it
+# For multiple validators per node, we need to multiply the pod index by VALIDATORS_PER_NODE
+POD_INDEX=$(echo $K8S_POD_NAME | awk -F'-' '{print $NF}')
+KEY_INDEX=$((POD_INDEX * VALIDATORS_PER_NODE))
+# Add the index to the start index to get the private key index
+PRIVATE_KEY_INDEX=$((KEY_INDEX_START + KEY_INDEX))
+
+# Calculate publisher key starting index for this pod
+PUBLISHER_KEY_INDEX=$((POD_INDEX * VALIDATORS_PER_NODE * PUBLISHERS_PER_VALIDATOR_KEY + PUBLISHER_KEY_INDEX_START))
+
+WEB3_SIGNER_URL=${WEB3_SIGNER_URL:-""}
+
+echo "POD_INDEX: $POD_INDEX"
+echo "KEY_INDEX: $KEY_INDEX"
+echo "KEY_INDEX_START: $KEY_INDEX_START"
+echo "PRIVATE_KEY_INDEX: $PRIVATE_KEY_INDEX"
+echo "PUBLISHER_KEY_INDEX_START: $PUBLISHER_KEY_INDEX_START"
+echo "PUBLISHER_KEY_INDEX: $PUBLISHER_KEY_INDEX"
+echo "WEB3_SIGNER_URL: ${WEB3_SIGNER_URL}"
+# Specific for validators that can hold multiple keys on one node
+echo "VALIDATORS_PER_NODE: ${VALIDATORS_PER_NODE}"
+echo "PUBLISHERS_PER_VALIDATOR_KEY: ${PUBLISHERS_PER_VALIDATOR_KEY}"
+echo "MNEMONIC: $(echo $MNEMONIC | cut -d' ' -f1-2)..."
+
+private_keys=()
+addresses=()
+
+# Generate validator keys (attesters)
+for ((i = 0; i < VALIDATORS_PER_NODE; i++)); do
+  current_index=$((PRIVATE_KEY_INDEX + i))
+  private_key=$(cast wallet private-key "$MNEMONIC" --mnemonic-index $current_index)
+  address=$(cast wallet address --private-key $private_key)
+
+  if [ -z "$WEB3_SIGNER_URL" ]; then
+    private_keys+=("$private_key")
+  fi
+  addresses+=("$address")
+done
+
+# Generate publisher keys
+publisher_private_keys=()
+publisher_addresses=()
+
+total_publishers=$((VALIDATORS_PER_NODE * PUBLISHERS_PER_VALIDATOR_KEY))
+
+for ((i = 0; i < total_publishers; i++)); do
+  current_pub_index=$((PUBLISHER_KEY_INDEX + i))
+  pub_private_key=$(cast wallet private-key "$MNEMONIC" --mnemonic-index $current_pub_index)
+  pub_address=$(cast wallet address --private-key $pub_private_key)
+
+  publisher_private_keys+=("$pub_private_key")
+  publisher_addresses+=("$pub_address")
+done
+
+remoteSigner=""
+attesters=()
+publishers=()
+
+if [ -n "$WEB3_SIGNER_URL" ]; then
+  remoteSigner=$(jq -n '{remoteSignerUrl: $url}' --arg url "$WEB3_SIGNER_URL")
+  attesters=(${addresses[*]})
+  # TODO: switch to addresses once web3signer supports EIP-4844 txs. See https://github.com/Consensys/web3signer/pull/1096
+  publishers=(${publisher_private_keys[*]})
+else
+  remoteSigner="null"
+  attesters=(${private_keys[*]})
+  # Without web3signer, use private keys for publishers
+  publishers=(${publisher_private_keys[*]})
+fi
+
+export KEY_STORE_DIRECTORY="/shared/config/keys"
+mkdir -p "$KEY_STORE_DIRECTORY"
+
+# Build validators array with multiple entries
+validators_json="["
+for ((v = 0; v < VALIDATORS_PER_NODE; v++)); do
+  if [ $v -gt 0 ]; then
+    validators_json+=","
+  fi
+
+  # Get the attester for this validator
+  if [ -n "$WEB3_SIGNER_URL" ]; then
+    attester="${addresses[$v]}"
+  else
+    attester="${private_keys[$v]}"
+  fi
+
+  # Get the publisher keys for this validator
+  validator_publishers="["
+  for ((p = 0; p < PUBLISHERS_PER_VALIDATOR_KEY; p++)); do
+    if [ $p -gt 0 ]; then
+      validator_publishers+=","
+    fi
+    pub_index=$((v * PUBLISHERS_PER_VALIDATOR_KEY + p))
+    validator_publishers+="\"${publishers[$pub_index]}\""
+  done
+  validator_publishers+="]"
+
+
+  validators_json+="{
+    \"attester\": \"$attester\",
+    \"coinbase\": \"$attester\",
+    \"publisher\": $validator_publishers,
+    \"feeRecipient\": \"0x0000000000000000000000000000000000000000000000000000000000000000\"
+  }"
+done
+validators_json+="]"
+
+# Create final JSON structure
+jq -n --argjson remoteSigner "$remoteSigner" \
+      --argjson validators "$validators_json" \
+'{
+  schemaVersion: 1,
+  remoteSigner: $remoteSigner,
+  validators: $validators
+}' > "$KEY_STORE_DIRECTORY/attesters.json"
+
+echo "Generated configuration for $VALIDATORS_PER_NODE validators with $PUBLISHERS_PER_VALIDATOR_KEY publishers each"